Office of Inspector General
Corporation for National and
Community Service


AUDIT OF THE
CORPORATION FOR NATIONAL AND
COMMUNITY SERVICE'S
FISCAL YEAR 2004 FINANCIAL STATEMENTS
MANAGEMENT LETTER

Audit Report Number 05-02
October 29, 2004


Prepared by:

COTTON & COMPANY LLP
333 North Fairfax Street, Suite 401
Alexandria, Virginia 22314


This report was issued to Corporation management on December 23, 200
Under the laws and regulations governing audit follow up, the Corporation is to
make final management decisions on the report's findings and
recommendations no later than June 23, 2005, and complete its corrective
actions by December 23, 2005. Consequently, the reported findings do not
necessarily represent the final resolution of the issues presented.


Office of Inspector General
Corporation for National and Community Service

Independent Audit of the
Corporation for National and Community Service's
Fiscal Year 2004 Financial Statements - Management Letter
Audit Report 05-02


Introduction

In accordance with the Government Corporation Control Act (31 U.S.C. §§ 9101-10), the Office
of Inspector General (OIG) engaged Cotton and Company LLP to audit the Corporation for
National and Community Service's Fiscal Year 2004 financial statements. Their audit, conducted
in accordance with government auditing standards, resulted in an unqualified opinion on the
Corporation's financial statements.
Audit Report 05-01, Audit of the Corporation for National
and Community Service's Fiscal Year 2004 Financial Statements, describes the basis for the
opinion as well as a reportable condition: the Corporation's monitoring of grantee activities.
This reportable condition was not considered to be a material weakness.

During the engagement, the auditors also noted certain matters involving the control over
financial reporting and other operational matters that were not considered material weaknesses or
reportable conditions. This Management Letter discusses these matters and includes
recommendations for corrective action.

The contract required that the audit be done in accordance with generally accepted government
auditing standards. In compliance with our statutory responsibilities, we reviewed Cotton &
Company's reports and related audit documentation, interviewed their representatives, and
performed other procedures to provide reasonable assurance that the audit was performed in
accordance with generally accepted government auditing standards. Our review of Cotton &
Company's work was not intended to enable us to express, and we do not express, opinions on
the Corporation's financial statements or on conclusions on compliance with laws and
regulations. Cotton & Company is responsible for the enclosed reports and the conclusions
expressed therein. However, our review disclosed no instances where Cotton & Company did not
comply, in all material respects, with generally accepted government auditing standards.

We provided a draft of this report to the Corporation for review and comment. The Corporation's
response is included as Appendix A.
In its response, the Corporation agreed with the
recommendations and stated that corrective action has been completed on many of the matters.


Inspector General
Board of Directors
Corporation for National and Community Service

INDEPENDENT AUDIT OF THE CORPORATION FOR NATIONAL AND
COMMUNITY SERVICE'S FISCAL YEAR 2004 FINANCIAL STATEMENTS

In planning and performing our audit of the financial statements of the Corporation for National and
Community Service as of and for the year ended September 30, 2004, we considered the Corporation's
internal control to determine auditing procedures for the purpose of expressing an opinion on the financial
statements and not to provide assurance on internal control.

During the audit, however, we became aware of several matters that present opportunities for
strengthening internal control and operating efficiency. We previously reported on the Corporation's
internal control in our report dated October 29, 2004. This letter does not affect our report on the
financial statements of the Corporation dated October 29, 2004.

We will review the status of these comments during our next audit of the Corporation's financial
statements. We have already discussed many of these comments and suggestions with the Office of the
Inspector General and Corporation staff, and we will be pleased to discuss these comments in further
detail at your convenience. Our comments and recommendations are attached.

We would like to express our appreciation to Corporation representatives who assisted us in completing
our audit.
They were always courteous, helpful, and professional.

Very truly yours,

COTTON & COMPANY LLP

Alan Rosenthal, CPA
Partner

October 29, 2004
Alexandria, Virginia


INDEPENDENT AUDIT OF THE CORPORATION FOR NATIONAL AND
COMMUNITY SERVICE'S FISCAL YEAR 2004 FINANCIAL STATEMENTS

MANAGEMENT LETTER

Cotton & Company LLP conducted the Fiscal Year (FY) 2004 financial statements audit of the
Corporation for National and Community Service. During the audit, we became aware of several matters
that present opportunities for strengthening internal control and operating efficiency. These matters are
discussed in this management letter in the following categories:

                Grants Management
                National Service Trust
                Accounts Receivable and Debt Collection
                Human Resources and Payroll
                Vendor Payments
                General Electronic Data Processing Controls
                Property

A. GRANTS MANAGEMENT

A.1.    Office of Management and Budget (OMB) Circular A-133 audit findings and their
resolution are not adequately documented in the A-133 tracking database.

The Corporation reviews the Federal Audit Clearinghouse (FAC) database during the award approval
process to determine if grantees submitted audit reports to FAC in accordance with OMB Circular A-133
and to determine if any findings noted relate to the Corporation.

Our review of the A-133 tracking database maintained by the Corporation indicated that the follow-up
and resolution of audit findings is not consistently documented in the database. Further, existing data
entries lack adequate supporting documentation.
Without this information, we are unable to verify the
timeliness of audit resolution.

To ensure that grantee internal control weaknesses and noncompliance issues are identified and properly
resolved in a timely manner, we recommend that the Corporation ensure that FAC reviews occur on a
timely basis to identify whether weaknesses and compliance problems are noted for grantees prior to the
award of grant funding. We recommend that personnel responsible for resolution and closure follow up
with grantees to ensure that exceptions are corrected promptly. This information should be accurately
transcribed into the FAC database, and documentation to support this information must be maintained.

A.2.    Grant closeout procedures do not ensure that projects are closed in a timely manner.

The Corporation has several policies regarding grant closeout. We noted, however, that effective
communication among grant managers, grant specialists, and grantees does not always occur.
Corporation personnel attempt to accommodate grantees, which sometimes results in grant closeouts not
being performed in accordance with the Corporation's policies for timeliness. A principal cause is the
failure by grantees to submit final Financial Status Reports (FSRs) within the allotted 90-day period
following the end of the grant period.

We reviewed a sample of 45 closed grant files and noted that 10 files were not closed within 180 days
following the end of the grant period. Of these 10 files, 5 were attributed to grantees failing to submit
their closeout documents within the allotted 90-day period.

Inconsistent closeout procedures place the Corporation at risk of not identifying amounts advanced to
grantees that should be returned to the Corporation.
Furthermore, inconsistent closeout procedures
prevent the Corporation from making timely adjustments to financial statements, if necessary.

We recommend that the Corporation develop a consistent method of identifying expired grants and
enforce timely administrative closeout of these grants. Further, we recommend that the Corporation
develop timelines for Service Center staff to request required documentation before the expiration date to
ensure that grants are closed out in a timely manner. Also, we recommend that the Corporation
communicate the importance of semiannual FSRs to applicable grantees and perform follow-up
procedures when grantees are late.

A.3.    Member files did not always contain required documents.

During our review of member files, we requested 45 samples. Our sample encompassed all AmeriCorps
programs, consisting of AmeriCorps State, AmeriCorps National, National Civilian Community Corps
(NCCC), and VISTA. Of the 43 provided, seven samples did not have proper enrollment forms, and eight
did not have proper exit forms. Additionally, four of the 31 AmeriCorps State and National samples did
not have time sheets. During member file testing we noted a lack of documentation of proof of
citizenship and age eligibility in a number of instances.

We recommend that the Corporation develop policy guidelines that comply with established regulations
for adequate proof of citizenship and age eligibility for NCCC and VISTA. Further, we recommend that
the Corporation reinforce its policy and guidance to ensure that member files contain all such documents
for all programs.

A.4.    Member enrollment and end-of-term forms are not always processed in a timely manner.

We reviewed a download of e-SPAN data as of June 30, 2004. This data contained 28,131 members who
had completed program requirements during FY 2003 and FY 2004. Of these members, 7,216 were not
exited within 30 days of program completion.
Further, it was noted that of 43 members (from the files
reviewed in A.3. above) who completed programs during FY 2003 and FY 2004, 19 members were not
enrolled within 30 days of starting service.

Delays in processing member enrollment/exit information could affect the calculation of the National
Service Trust Award Liability and related expenses.

We recommend that the Corporation coordinate with Grants Management and Program Offices to
reemphasize the importance of timely processing member exit information within the allotted 30-day
period following a member's completion of service.

B. NATIONAL SERVICE TRUST

B.1.    Interest forbearance procedures are not always followed.

Corporation policies require that interest forbearance payments over $5,000 be approved by the
Supervisor of the Trust. Ten payments of more than $5,000 were made during FY 2004. The Supervisor
of the Trust did not approve four of these payments.

We recommend that the Corporation reemphasize the importance of following this approval policy and
periodically conduct reviews of data to ensure that all interest forbearance requests of more than $5,000
are verified and approved before payment.

B.2.    Trust disbursement procedures are inconsistent.

Trust disbursement procedures for payments to educational institutions require that payments in excess of
$1,500 be made in two separate amounts. The first payment should be made when course work begins
and the second payment should be made halfway through the semester. It was noted in four out of six
instances tested that when no dates were provided, payments were made in one lump sum.

We recommend that the Corporation modify the current standard operating procedure to include a
procedure on how to process a payment when the institution does not provide adequate information
regarding start and mid-point dates.

B.3.
        VISTA member partial awards are inconsistent.

A review of e-SPAN found one VISTA member and one non-VISTA member received awards without
completing the minimum hours of service required to be eligible for a partial award.

We recommend that Trust personnel coordinate efforts with the Office of Information Technology (OIT)
to correct the deficiency in e-SPAN that allowed this condition to occur.

C. ACCOUNTS RECEIVABLE AND DEBT COLLECTION

C.1.    Debt collection activities are inconsistently conducted.

Debt collection activities are not consistently conducted in accordance with Corporation policies and
procedures. In three out of 15 delinquent receivables tested, delinquencies aged more than 60 days were
not forwarded to Accounting and Financial Management Services for further collection efforts in a timely
manner. We also noted that all requested files could not be produced. Of the files reviewed, one was
missing the cost share authorization, and two had not been invoiced.

We recommend that the Corporation review and emphasize debt collection policies to Corporation staff
and implement monitoring procedures to ensure that policies are followed. Those procedures should be
enforced to ensure that files are properly maintained.

D. HUMAN RESOURCES AND PAYROLL

D.1.    Overtime was not always approved in writing.

We reviewed employee time sheets and noted that overtime was recorded without advance written
approval in three instances. We verified the policy requiring advance written approval of overtime with
the Office of Human Resources. This policy is not clearly documented or correctly applied. Although an
overtime approval form does exist, it is not consistently used. Failure to attach this form to time sheets
limits the monitoring abilities of the timekeeper.
Unapproved overtime may be misused by employees
and may not be budgeted for by supervisors.

We recommend the Corporation clearly document and distribute its advance written approval policy for
overtime and allow timekeepers to reject employee time sheets without proper attachments.

E. VENDOR PAYMENTS

E.1.    Vendor payments are not always disbursed in a timely manner.

During the review of procurements, we found disbursements that were paid in excess of 30 days. The
Corporation appropriately included interest when disbursing these late payments, which prevented
violations of the Prompt Payment Act. One reason for the delay is that certain contracts have to be
verified by several offices to ensure that goods and/or services have been provided before vendor
payments are made.

We recommend that the Corporation place stricter controls over responsible offices, reemphasize the
importance of timely payments, investigate offices with delinquent payments, and resolve bottlenecks in
the disbursement process.

F. GENERAL ELECTRONIC DATA PROCESSING CONTROLS REVIEW

F.1.    Certain general controls on information security are weak.

As part of the FY 2004 audit, we reviewed controls over systems that process and report information in
support of the Corporation's annual financial statements. We also reviewed network access controls used
to secure and safeguard financial information traveling over the Corporation's network.
This review was
conducted under the guidelines of the Government Accountability Office's (GAO) Federal Information
Systems Control Audit Manual (FISCAM).

The systems included in our audit were:

                Windows NT and 2000 servers (network);
                Momentum Financial System;
                eSPAN; and
                eGrants.

For our audit we relied on special publications and guidelines developed by the National Institute of
Standards and Technology (NIST); guidelines developed by the National Security Agency (NSA);
guidelines from the Center for Internet Security (CIS); and OMB Circular A-130 (Appendix III).

In conducting our review of internal control over information technology (IT), we reviewed controls in
the following FISCAM categories:

                Entity-wide security program planning and management;
                Access controls;
                Application software development and program change controls;
                System software controls;
                Segregation-of-duty controls; and
                Service continuity controls.

Within these six review areas, we noted three conditions, as detailed below, in which the information
security general control environment could be improved. The Corporation often has good security
practices in place, but it does not have formal, documented policies and procedures in place for all
practices. We found that technical configuration control weaknesses exist in both the network operating
system and the eSPAN/eGrants database. These technical control deficiencies within the general support
system and major applications weaken controls within financial applications. These weaknesses also
reduce the reliability, integrity, and confidentiality of the financial data used to prepare the Corporation's
financial statements. More specifically, we noted the following three conditions:

    1.
       The current Windows 2000 domain controllers and a Windows NT member server supporting the
       eSPAN/eGrants system are not configured in compliance with NIST, NSA, and other Federal
       regulations. The OIT has not created a minimally acceptable baseline configuration for server
       operating systems. While many of the vulnerabilities identified in previous audits have been
       addressed, the remaining weaknesses represent a moderate risk to the Corporation.

    2. The Oracle 8i database supporting the eSPAN and eGrants systems is not configured in
       compliance with Federal guidance from CIS, NIST, and NSA. During the audit, high-risk
       vulnerabilities were promptly addressed by Corporation management, but the current
       configuration still represents a moderate risk. Additionally, OIT has not created a minimally
       acceptable baseline configuration for the Oracle database management system.

    3. Documentation of policies, procedures, and standards is not in place for some areas, including:

             a. Rules of behavior for the network and major applications.
             b. The Program manager sign-off requirements to approve system use within certification
                and accreditation packages.
             c. Account reviews for all systems.
             d. Corporation draft policy on Systems Development Life Cycle should be finalized,
                approved and distributed to OIT personnel.
             e. Policies prohibiting eating and drinking in the computer room.
             f. Segregation of incompatible duties for both IT administrative functions and financial data
                management. Documented job descriptions do not accurately reflect assigned duties,
                responsibilities, and segregation of duties.
             g. Job rotation or mandatory vacation for key IT personnel.
             h. Technical training requirements for IT personnel.
             i.
                Employee participation in the Corporation's security awareness program.

To correct the above issues, we recommend that the Corporation's Office of Information Technology
(OIT):

    1. Review deficiencies in the Windows 2000 server configurations and take corrective actions to
       ensure that the configuration is consistent with NIST and NSA guidelines. To correct the
       Windows NT deficiencies, we recommend that OIT complete its efforts to fully migrate from
       Windows NT to Windows 2000. Also, OIT should create minimally acceptable baseline
       configurations for all server operating systems that adequately address security and comply with
       Federal guidance.

    2. Review deficiencies in the Oracle 8i database configurations. Continue with the planned upgrade
       of the database to Oracle 9i. Ensure that technical guidance for Federal systems, such as the CIS
       Benchmark, is followed during and after implementation of the new version of Oracle. Also, OIT
       should create a minimally acceptable baseline configuration for the Oracle database management
       system that adequately addresses security and complies with Federal guidance.

    3. Document policies, procedures, and standards as follows:

             a. Continue current efforts to document rules of behavior that apply to all systems. Ensure
                that all users read and agree to the rules of behavior.
             b. Continue the current certification and accreditation process.
                Ensure that the system
                owners and program managers officially acknowledge the residual operating risks and
                accept the risks of having the particular system in production.
             c. Develop fully documented procedures for the methodology and frequency of account
                reviews for the network platforms and financial applications currently conducted by OIT.
             d. Continue efforts to improve the SDLC methodology. Ensure that the changes made to
                the document are approved by senior management and are distributed to affected
                personnel for implementation.
             e. Develop a policy that prohibits potentially risky behavior in the computer room,
                including eating and drinking.
             f. Document the policy and procedures for segregation of incompatible duties. These
                procedures should include reviews for incompatible permissions in all major systems.
                The policy should detail required steps for the initial creation of accounts, and should
                require account reviews at regularly scheduled intervals.
             g. Create job rotation or mandatory vacation requirements to ensure that critical duties are
                performed by more than one person.
             h. Create a training plan for key IT personnel. Ensure that system administrators and
                security personnel have sufficient and current training on systems for which they are
                responsible. Ensure that training is part of the implementation plan for new and updated
                systems.
             i. Create policy and procedures to ensure that all system users participate in the
                Corporation's security awareness training program. Active tracking and monitoring of
                participation is required to ensure all users participate.

G. PROPERTY

G.1.
        Property records between Headquarters and Service Centers do not always agree.

During site visit testing of property at the Southwest and Pacific Service Centers, we noted discrepancies
between the inventory lists provided by Headquarters and by the Service Centers. Property custodians are
not aware of all responsibilities associated with property maintenance.

We recommend that the Corporation coordinate property custodian activities and ensure that employees
review Corporation Policy Number 500 regarding property management.


STATUS OF PRIOR-YEAR MANAGEMENT LETTER COMMENTS

Fiscal Year 2003 Management Letter Comment                 Fiscal Year 2004 Status
A.1 Oversight of OMB Circular A-133 reporting/audit        This issue remains open.
findings are not resolved in a timely manner.
A.2 Grant closeout procedures do not ensure that           This issue remains open.
projects are closed in a timely manner.
B.1 The process of reviewing Web-Based Reporting           Management has fully implemented
System (WBRS) Reconciliation Reports should be             corrective actions to address this issue. This
strengthened.                                              issue is closed.
B.2 Member end-of-term forms are not always                This issue remains open.
processed in a timely manner.
B.3 Interest forbearance procedures are not always         This issue remains open.
followed.
                                                           Management has fully implemented
in a timely manner.                                        corrective actions to address this issue.
                                                           This issue is closed.
                                                           Management has fully implemented
                                                           corrective actions to address this issue. This
                                                           issue is closed.
C.1 VISTA receivables of $30 or less are directly          Management has fully implemented
written off.                                               corrective actions to address this issue. This
                                                           issue is closed.
C.2 Debt collection activities are inconsistently          This issue is reported as C.1 this year and
conducted.                                                 remains open.
C.3 Cost-share agreements are not reconciled in a          Management has fully implemented
timely manner, and discrepancies exist between eSPAN       corrective actions to address this issue. This
and Momentum.                                              issue is closed.
D.1 Overtime was not always approved in writing.           This issue remains open.
D.2 Controls over time sheet reporting are weak in         Management has fully implemented
some instances.                                            corrective actions to address this issue. This
                                                           issue is closed.
E.1 Vendor payments are not always disbursed in a          This issue remains open.
timely manner.
F.1 Certain general controls on information security are   This issue remains open; however, several of
weak.                                                      the high-risk items identified in FY 2003 have
                                                           been corrected.
                                                           Some less significant
                                                           conditions were noted during the FY 2004
                                                           review.


MEMORANDUM

Date:          December 20, 2004

To:            Carol Bates, Acting Inspector General

From:          Bill Anderson, Deputy CFO for Financia

Subject:       Comments on Management Letter

Thank you for the opportunity to comment on the draft management letter on the results of your
audit of the Corporation's fiscal 2004 financial statements. The Corporation is pleased that it
continues to receive a clean opinion on its financial statements and that the audit found continued
improvement in our internal controls. The management letter recommends several areas for
further improvement. The Corporation's response to each recommendation is outlined below. In
addition, the Corporation has completed action on seven of the 14 recommendations included in
the report; therefore, this response serves as notice of final action for those items.

Corporation Comments

Finding A.1 - OMB Circular A-133 audit documentation.
The audit recommends that the
Corporation: ensure that FAC reviews occur on a timely basis; follows up with grantees to
ensure that exceptions are corrected promptly; accurately transcribes data into the FAC database;
and maintains supporting documentation.

Corporation Response - As the audit noted, Corporation grants staff in the service centers and
at headquarters review the Federal Audit Clearinghouse (FAC) prior to the award of grant
funding to identify weaknesses and compliance problems noted in the A-133 audit, if any. If the
FAC review discloses findings, grants management specialists note the status of corrective action.
This review is documented on the grants officer certification form. However, we agree that
documentation of corrective action is not always maintained consistently in the Corporation's A-
133 audit resolution database. We will bring the grants management specialists together for
training on the use and documentation requirements for the Corporation's A-133 audit resolution
process. The training will be conducted in conjunction with one of the upcoming Grants
Management certification classes that we are conducting in the spring or summer of 2005.

1201 New York Ave., N.W. Washington, DC 20525 202-606-5000 www.nationalservice.org
Senior Corps      AmeriCorps      Learn and Serve America

Finding A.2 - Grant closeout procedures.
The audit recommends that the Corporation
develop a consistent method of identifying expired grants; enforce timely administrative closeout
of grants; communicate the importance of semiannual FSRs to applicable grantees; and
follow-up procedures when grantees are late.

Corporation Response - The Corporation has implemented a consistent method of identifying
expired grants, but needs to implement additional controls to ensure grantees submit closeout
documents on time and accurately. We are modifying the closeout processes in eGrants to send
automatic notifications to grantees 30 days before their grant expires instructing them on the
steps for closeout and informing them that their FSRs must be submitted within 90 days of the
expiration date of the grant. Grantees will be informed that access to their accounts at HHS may
be denied if their reports are late. eGrants will send a series of reminders to grants staff and
grantees to make sure they are aware of upcoming deadlines.

In addition, the Corporation is preparing an instructional document on the closeout process that
instructs grantees on how to reconcile their records and reports and update the HHS Payment
Management System to facilitate the closeout process. These new processes and follow-up
procedures should ensure that the Corporation tracks the closeout process effectively and
closeouts are not delayed because of grantee reporting delinquencies. The eGrants
enhancements are scheduled to be completed by March 2005 and the instructional document will
be disseminated to the field by June 2005.

Finding A.3 - Member file documentation.
The audit recommends that the Corporation\ndevelop policy guidelines that comply with established regulations for adequate proof of\ncitizenship and age eligibility for NCCC and VISTA and reinforce its policy and guidance to\nensure that member files contain all such documents for all programs.\n\nCorporation Response - The Corporation will reinforce its policy and provide guidance to\ngrantees, NCCC and VISTA staff to ensure that member files properly document eligibility.\n\nFinding A.4 - Member enrollment and end-of-term form processing. The audit recommends\nthat the Corporation reemphasize the importance of timely processing member exit information\nwithin the allotted 30-day period following a member\'s completion of service.\n\nCorporation Response - The Corporation recently reemphasized with its grantees, state offices\nand sponsors the importance of timely processing of member exit information. In addition, the\nCorporation will regularly review performance in this area to ensure compliance with the\nrequirement. [Final Action Completed]\n\nFinding B.1 - Interest forbearance procedures. The audit recommends that the Corporation\nreemphasize the importance of following this approval policy and periodically conduct reviews\nof data to ensure that all interest forbearance requests of more than $5,000 are verified and\napproved before payment.
\n\nCorporation Response - The Corporation reemphasized to Trust staff the need to ensure that all\ninterest accrual documents are approved by the Trust Manager prior to payment. Additionally,\nthe Trust Manager will monitor this process to ensure that any such payments are properly\napproved. [Final Action Completed]\n\x0cFinding B.2 - Trust disbursement procedures. The audit recommends that the Corporation\nmodify the current Standard Operating Procedure to include a procedure on how to process a\npayment when the institution does not provide adequate information regarding start and mid-point\ndates.\n\nCorporation Response - The Trust Standard Operating Procedures (SOP) allows administrative\nstaff some flexibility in processing split payments. The SOP states: "If the payment is for current\neducational expenses and exceeds $1,500, you should split the payment into two equal amounts\nunless the midpoint date given for the enrollment period has already passed or is less than 30\ndays in the future. In that case, pay the full amount. No split should be made for payments to\nloan holders, regardless of the payment amount." In addition, staff must weigh when the\nvoucher request is received in conjunction with the payment dates or if adequate information is\nnot reflected on the voucher. The Trust manager will monitor this process to ensure that\npayments are made properly. [Final Action Completed]\n\nFinding B.3 - VISTA member partial awards are inconsistent. 
The audit recommends that\nTrust personnel coordinate efforts with the Office of Information Technology to correct the\ndeficiency in e-SPAN that allowed this condition to occur.\n\nCorporation Response - The Trust Office has submitted a system change request to resolve the\ndiscrepancy in the eSPAN system and prevent granting of award when a member has not\ncompleted the requisite minimum service. The changes are scheduled for implementation by the\nend of December 2004.\n\nFinding C.1 - Debt collection. The audit recommends that the Corporation review and\nemphasize debt collection policies to Corporation staff and implement monitoring procedures to\nensure that policies are followed and files are properly maintained.\n\nCorporation Response - The Corporation has reemphasized debt collection policies to\nCorporation staff and will monitor procedures to ensure that policies are followed. [Final Action\nCompleted]\n\nFinding D.1 - Overtime approval. The audit recommends that the Corporation clearly\ndocument and distribute its policy that overtime be approved in advance and in writing and allow\ntimekeepers to reject employee timesheets without proper attachments.\n\nCorporation Response - In a December 15, 2004 message to timekeepers the Corporation\nreemphasized that overtime must be approved in writing and that timekeepers should reject\ntimesheets requesting overtime that are submitted without proper approval. The Office of\nHuman Capital will periodically review timekeeper performance in this area to ensure\ncompliance. [Final Action Completed]\n\nFinding E.1 - Vendor payments. The audit recommends that the Corporation place stricter\ncontrols over responsible offices; reemphasize the importance of timely payments; investigate\noffices with delinquent payments; and resolve bottlenecks in the disbursement process.\n\nCorporation Response - While the Corporation\'s prompt pay interest is minimal we are\nstriving to reduce the amount to zero. 
To that end OPS conducted in-house training for all\n\x0cpersonnel involved in the invoicing process on December 14th. As an additional measure, OPS\nplans to implement a suspense system enabling it to go directly to the responsible COTR and\ninsure that invoices are processed in a timely manner. [Final Action Completed]\n\nFinding F.1 - General information security controls. The audit recommends that OIT: (1)\ncomplete its efforts to fully migrate from Windows NT to Windows 2000 and create minimally\nacceptable baseline configurations for all server operating systems that adequately address\nsecurity and comply with Federal guidance; (2) continue with the planned upgrade of the\ndatabase to Oracle 9i, ensure that technical guidance for Federal systems, such as the CIS\nBenchmark, is followed during and after implementation of the new version of Oracle, and create\na minimally acceptable baseline configuration for the Oracle database management system that\nadequately addresses security and complies with Federal guidance; and (3) document policies,\nprocedures, and standards.\n\nCorporation Response - OIT constantly reviews configuration recommendations from many\ndifferent sources including NIST and NSA and applies them as necessary. OIT has created a\ndetailed test-to-production scheme for all operating system changes and performs upgrades on\nservers in an order that insures the maximum protection of mission critical servers. All servers\nadhere to a consistent baseline software configuration, which is verified at the completion of\nevery server build. 
The remaining NT servers are being phased out of production as replacement\nfunctionality can be placed online; this is expected to be completed by June 2005.\n\nOIT is currently in the process of creating a true Oracle specific server farm which will include a\nrigid test-to-production scheme for all system changes. As a part of this process, the Oracle\ndatabases will be upgraded to version 9i. OIT currently reviews all software and configuration\nrecommendations from many different sources including Oracle, NIST and NSA and applies\nthem as necessary. All servers adhere to a consistent baseline software configuration, which is\nverified at the completion of every server build.\n\nOIT reviews its processes and policies on an on-going basis and makes changes or develops new\npolicies as necessary on an on-going basis. [Final Action Completed]\n\nG.1 - Property records between Headquarters and Service Centers do not always agree.\nThe audit recommends that the Corporation coordinate property custodian activities and review\nCorporation Policy Number 500 regarding property management.\n\nCorporation Response - OAMS staff will coordinate property custodian activities and ensure\nthat Corporation Policy Number 500 is updated, available, understood and properly followed. In\naddition, OAMS staff will perform periodic site visits to ensure that the property policy is\nimplemented properly and understood by the property custodians.\n\ncc:    Andrew Kleine\n       Rosie Mauk\n       Howard Turner\n       Merlene Mazyck\n       Peter Hill\n       Peg Rosenberry\n       Tory Wilson\n\x0c'